Primary Group SID

Andrew Bartlett abartlet at
Sat Feb 14 21:57:04 GMT 2004

On Sun, 2004-02-15 at 01:41, Bostjan Golob wrote:
> Attached is a patched patch that first checks if it can get the
> gidNumber from LDAP. If not, it goes through getpwnam() to acquire the
> primary gid number.

Except that this isn't quite how you have it.  Before we can read
gidNumber, we should determine that we have a posixAccount.  Basically,
we need to retrieve the old 'ldap trust ids' code, and use it.  I think
this got lost in the IDMAP removal, before 3.0 shipped.

(Grab an old CVS copy of pdb_ldap, and see how it was done).

> If primary GID->SID translation is too expensive for init_sam_from_ldap,
> I can patch get_domain_user_groups from rpc_server/srv_util.c to do it
> instead when enumerating the user's groups. It will require a getpwnam()
> call though, and I don't know how much code checks the primary group SID
> only.

No, this belongs in the backend.  There is also some stuff about the
smb.conf substitution code that would benefit from this information - we
lost %u and %g support when we lost the posix info.

Jerry is also going to need to look at this, as he pulled most of this
out, and I need to know what was IDMAP murder, and what was due to other

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at